Monthly Archives: March 2009

Policy tools – regulatory

Condon of CNET recounts Thomas Friedman and Chris Savage discussing the policy window currently open for regulating technology:

“Reaching the most democratic solutions will require making the Internet policy process as interactive as the Net,” said Nathan James, the program and outreach manager for the Media and Democracy Coalition, an affiliation of consumer, public interest, and labor groups.”If we don’t hear from a diversity of perspectives now, how will we ever know we charted the best course?”

Leave a comment

Filed under cyber policy, policy tools

An admonition to those who created/sold financial derivatives

Actually, this admonition applies to all who say they can deliver a future full of wealth:

See, I am against those who prophesy lying dreams, says the Lord, and who tell them, and who lead my people astray by their lies and their recklessness, when I did not send them or appoint them;  so they do not profit this people at all, says the Lord.

Jer. 23:32

Leave a comment

Filed under Uncategorized

Cybersec – paying attention

From CNET (Stephanie Condon).   Sen. Jay Rockefeller says:

“I regard this as a profoundly and deeply troubling problem to which we are not paying much attention,” Rockefeller said a hearing this week, referring to cybersecurity.

So, according to Ms. Condon’s report, Sens. Rockefeller and Snow are drafting legislation to create the Office of the National Cybersecurity Advisor with omnipotent powers to disconnect any piece of critical networks which threaten US security.

Leave a comment

Filed under cybersecurity, policy tools

Credit Card Vendors policing cybersec

PIC agreements as a tool to secure cyberspace… at least it’s a private sector approach to a market problem.  SecurityFix notes:

According to a message posted at TrafficConverter2.biz and its sister sites, the program’s credit card payment processor pulled the plug on them shortly after our story ran.

Leave a comment

Filed under cybersecurity, policy tools

Who can do security – A problem of collaboration?

CNET’s Declan McCullagh summarizes the discussion of who should be managing cybersecurity (a good article).

Part of official Washington’s dissatisfaction with DHS involves disagreements with not just who should handle cybersecurity topics, but what should be done. Security hawks would like the government to have the authority to order around the private sector. Defense hawks would like more focus on offensive “cyberattacks.” Privacy advocates worry about Homeland Security’s expansive mission, and remember how the NSA and FBI fought for many years to restrict domestic use of encryption.

James Lewis of the Center for Strategic and International Studies said:

Our report concluded that the market would never deliver adequate security and the government must establish regulatory thresholds for critical infrastructure. We proposed a new, more flexible approach to developing regulation that was based on close cooperation with industry in developing standards and an avoidance of prescriptive regulations that spell out in precise detail what companies must do.

Amit Yoran of Netwitness Corporation testified:

In Rod Beckstrom’s resignation letter last week, he states, “NSA effectively controls DHS cyber efforts thru detailees, technology insertion and the proposed move of NPPD and the NCSC to a Ft Meade NSA facility. NSA currently dominates most national cyber efforts…The intelligence culture is very different than a network operations or security culture. In addition, the threats to our democratic processes are significant if all top level government network security and monitoring are handled by any one organization.” This could not have been more accurately stated. We must enable civil government to succeed at this mission.

In reference to tools required to better work with private sector partners, she notes:

A deeper understanding of cyber defense and security operations in the private sector is required by those crafting the evolution of these programs or future programs so that adequate incentives can be appropriately incorporated into these programs. Such incentives might include tax consequences, fines, liability levers, public recognition, or even at an operational level, such as the sharing of threat intelligence, technical knowledge or incident response support to name just a few.

Mary Ann Davidson, CSO of Oracle summed:

In the same way our nation’s electrical grid, pipelines, roads and railways support our military but are not run by our military, our critical cyber infrastructures and the companies who create
them cannot simply fall under military control. Of course our government should defend
our cyber interests, but in the same way we would abhor a military presence at every
intersection, we must also ensure civilian control over the normal operation of our digital
highways.

David Powner of the Government Accountability Office offered the following recommendations:

Key Strategy Improvements Identified by Cybersecurity Experts
1. Develop a national strategy that clearly articulates strategic objectives, goals, and priorities.
2. Establish White House responsibility and accountability for leading and overseeing national
cybersecurity policy.
3. Establish a governance structure for strategy implementation.
4. Publicize and raise awareness about the seriousness of the cybersecurity problem.
5. Create an accountable, operational cybersecurity organization.
6. Focus more actions on prioritizing assets, assessing vulnerabilities, and reducing
vulnerabilities than on developing additional plans.
7. Bolster public/private partnerships through an improved value proposition and use of
incentives.
8. Focus greater attention on addressing the global aspects of cyberspace.
9. Improve law enforcement efforts to address malicious activities in cyberspace.
10. Place greater emphasis on cybersecurity research and development, including consideration of
how to better coordinate government and private sector efforts.
11. Increase the cadre of cybersecurity professionals.
12. Make the federal government a model for cybersecurity, including using its acquisition function
to enhance cybersecurity aspects of products and services.

Scott Charney, VP Microsoft’s Trustworthy Computing, spoke of the “imperative to radically evolve and elevate the
public private partnership model;  the need for an identity metasystem that makes the Internet
dramatically more secure while protecting important social values such as privacy and free
speech; and the necessity for a new regulatory model that protects innovation while providing
appropriate government oversight.”   He summarizes a history of public-private partnerships constructed to manage cybersecurity problems:

Since the 1990s, well-intended public private partnerships have been created to address this
need, yielding a perplexing array of advisory groups with overlapping missions, different
stakeholders with varying capabilities, insufficiently articulated roles and responsibilities, and
plans with literally hundreds upon hundreds of recommendations. In the few instances where
groups overcame institutional adversities and developed meaningful recommendations, the
repeated unwillingness or inability to implement those recommendations at the Federal level has
damaged the partnership significantly. Absent a comprehensive national strategy and clear
purpose, both government and private sector stakeholders will continue to struggle to be
effective.

Leave a comment

Filed under cybersecurity

Hacking as a policy tool

Austria wants to give their police “hacking” powers:

“Police will also be able to gain remote access to computers for seven days at a time, up to a total of 28 days or longer in exceptional circumstances, to allow them, to undertake forensic off-site examiniation,” Rees said.

“This could including cracking codes and searching computers for evidence of child porn, drug running, and money laundering.”

Offenses covered by the new laws include the supply, manufacture, or cultivation of drugs; possession, manufacture or sale of firearms; money laundering; car or boat re-birthing; and unauthorized access to or modification of computer data or electronic communications.

Leave a comment

Filed under cybersecurity

Counterintelligence is not a security issue?

That seems to be what some people within our national security apparatus thinks

Within the Office of the Director of National Intelligence you will find the Office of the National Counter intelligence Executive (ONCIX). ONCIX is headed by Dr. Brenner, the National Counter intelligence Executive and staffed by senior counter intelligence (CI) and other specialists from across the national intelligence and security communities. Dr. Brenner said, there is growing acceptance that we face a cyber counter intelligence problem, not a security problem. He has also stated that about 140 foreign intelligence surveillance organizations currently target the United States. As you may recall we reported earlier that Spy-Ops has estimated that there are currently 140 countries with active cyber warfare programs in place.

Leave a comment

Filed under cybersecurity